‘Cable Haunt’ Bug Plagues Millions of Home Modems

cable haunt security bug

The issue lies in underlying reference software used by multiple cable-modem manufacturers to create device firmware.

UPDATED

Multiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture that would allow an attacker full remote control of the device. The footprint for the affected devices numbers in the hundreds of millions worldwide.

Dubbed “Cable Haunt” by researchers at Lyrebirds, the bug (CVE-2019-19494) is found in cable modems across multiple vendors, including Arris, COMPAL, Netgear, Sagemcom, Technicolor and others. It originated in reference software written by Broadcom, researchers said, which has been copied by different cable-modem manufacturers and used in the devices’ firmware. The bug essentially allows a buffer overflow, which could enable a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim’s browser, according to the CVE writeup.

More specifically, “the cable modems are vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality,” explained the researchers, in a technical paper on the attack. “The exploit is possible due to lack of protection against DNS rebind attacks, default credentials and a programming error in the spectrum analyzer.”

Lyrebirds researchers said that 200 million modems are potentially affected in Europe alone; they focused their research on European ISPs, many of which are already rolling out updates to fix the flaw. However, many of the same modems are used in North America, so Cable Haunt isn’t restricted by geography. Users can check to see if they’re affected using a test script that the researchers released in tandem with the bug details.

As far as U.S. ISPs, “we are rapidly testing all our in-home broadband equipment, determining any vulnerability and the best steps to mitigate, as needed,” a Cox spokesperson told Threatpost.

A Charter spokesperson meanwhile told us that Charter is “currently working with each of our vendors to determine if their equipment is vulnerable and when we could expect to see a firmware upgrade.”

Comcast, for its part, did not return a request for comment.

In a proof-of-concept (PoC) exploit, researchers were able to demonstrate a two-step attack: First, they compromised the spectrum analyzer component on board a modem, which resulted in local access. The spectrum analyzer uses a websocket for communication with the graphical frontend displayed in a browser, and a server must verify the relevant request parameters added by the browser. However, “because these parameters are never inspected by the cable modem, the websocket will accept requests made by JavaScript running in the browser regardless of origin, thereby allowing attackers to reach the endpoint,” researchers explained.

In the second step, they show that a DNS rebind attack can be used to gain remote access to the compromised spectrum analyzer. DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks.

“Without this DNS rebind attack, the spectrum analyzer would only be exploitable on the local network,” they wrote.

Through malicious communication with the endpoint, a buffer overflow can be exploited to gain control of the modem.

“The websocket requests are given as JSON,” the paper explained. “The parser which interprets this JSON request will copy the input parameters to a buffer, regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.”

If successfully exploited, the vulnerabilities can give attackers “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,” the researchers explained, adding that attackers could intercept private messages, redirect traffic, add the modems to botnets, replace their firmware and more. They could also direct the modem to ignore remote system updates, which could complicate any patching process.

This post was updated at 11:30 a.m. ET on Jan, 14, 2020 to include statements from the top U.S. cable companies.

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles

Discussion

  • juanvaldezzzz on

    All these manufacturers who have just dropped-in reference code without a review, deserve to be dragged through the mud on this.
  • SailFast on

    According to their web site, the folks who discovered this vulnerability wrote: "Cable Haunt is exploited in two steps. First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. Secondly the vulnerable endpoint is hit with a buffer overflow attack, which gives the attacker control of the modem". So if I understand this sequence correctly; to stop the exploit from getting back on to the modem, why not just add a single F/W Rule on our LAN blocking access to the Internal address (space) of the the Cable Modem? For example if our LAN is assigned 192.168.1.0/24 and our modem (which is accessible from our LAN) has a management page on 192.168.50.1./24. Simply add a deny any/any rule for 192.168.50.1 (or even block the entire range provided there's nothing else in that range which you need access to) and we're done. Even if one of our endpoints unknowingly initiated the exploit, that traffic is now blocked from getting back to the modem, or am I missing something? Obviously besides the fact that not everyone has the ability to add a F/W rule, depending on what they are running for a Router or Firewall.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.